Download ImpressCMS 1.3.7 and 1.2.9 (LTS) Releases Now

One of the top tenets of ImpressCMS is to be a secure platform for your websites. In response to a recent CVE report, additional validation and sanitization of user input has been implemented in the 1.2 and 1.3 releases. Once again, we were aided by Pedro Ribeiro of Agile Information Security Ltd. in testing the patches for this issue.

If you ever discover a vulnerability or are uncertain about the security of ImpressCMS, please use our Security Issue Report form to let us know.

Download ImpressCMS 1.3.7 and 1.2.9 LTS (Long Term Support)

We continue to provide support for the 1.2 series of ImpressCMS. Once ImpressCMS 2.0 Final is released, support for 1.2 will be discontinued. The update for 1.2 (our Long Term Support version) is available on the ImpressCMS 1.2 product page.

What is the risk?

Users with sufficient access to the core image manager could carry out cross-site scripting attacks on a site, or could be tricked into triggering such attacks. Most attacks, like this one, are successful only if the Protector module is deactivated and HTML Purifier is disabled.

What has changed?

Additional filtering and validation of the search terms for images has been added, along with proper encoding of the output. The 1.3.7 release also contains some minor fixes for PDO (PHP Data Objects) support and a missing language constant. The preferences page in the control panel now has its own stylesheet class.
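As an added illustration (not ImpressCMS code), the following PHP contrasts an image search term reflected into the page unescaped with the two-layer fix described above: validation of the term, then context-aware encoding of the output. The function names, whitelist pattern and length limit are assumptions chosen for the example.

```php
<?php
// Added example, not ImpressCMS code. Function names, the whitelist and
// the 64-character limit are assumptions for illustration.

// Before: the raw search term is interpolated into the response, so any
// HTML in it is interpreted by the browser.
function renderSearchUnsafe(string $term): string
{
    return '<input name="search" value="' . $term . '">'
         . '<p>Results for ' . $term . '</p>';
}

// Layer 1, validation: accept only characters an image name can plausibly
// contain (hypothetical whitelist) and cap the length. Anything else is
// rejected before it reaches the database query or the page.
function validateSearchTerm(string $term): ?string
{
    $term = trim($term);
    if ($term === '' || strlen($term) > 64) {
        return null;
    }
    return preg_match("/^[\\p{L}\\p{N} _.'\\-]+$/u", $term) ? $term : null;
}

// Layer 2, output encoding: even a term that passed validation is escaped
// for the HTML attribute and element-text contexts it lands in, so the fix
// does not depend on Protector or HTML Purifier being enabled.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchSafe(string $term): string
{
    $clean = validateSearchTerm($term);
    if ($clean === null) {
        return '<p>Invalid search term.</p>';
    }
    return '<input name="search" value="' . e($clean) . '">'
         . '<p>Results for ' . e($clean) . '</p>';
}

// Constructed inputs: markup in the term, and a quote that passes validation.
echo renderSearchUnsafe('<b>logo</b>'), PHP_EOL;  // markup emitted verbatim
echo renderSearchSafe('<b>logo</b>'), PHP_EOL;    // rejected by validation
echo renderSearchSafe("Joe's logo"), PHP_EOL;     // accepted; quote encoded as &#039;
```

The third call shows why both layers matter: the apostrophe is a legitimate character, so validation lets it through, and only the encoding step keeps it from terminating the attribute value.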

In addition to applying the patch, you should review your group policies to be sure members of your site only have the access they need for their role.

Want to get involved?

If you're looking to join the ImpressCMS project, then get on board! All you need to do is head on over and complete the ImpressCMS Team form.